TERMS AND CONDITIONS OF PERSONAL DATA PROCESSING
Effective from September 4, 2025
These personal data processing terms (hereinafter referred to as “Terms”) set out the principles for the processing of personal data by HEATONBALTIC OÜ, registry code 17324178, website Heaton.ee (hereinafter referred to as “we” or “us”), acting as the data controller for your personal data.
When acting as an authorized processor, we operate in accordance with data processing agreements concluded between us and the data controllers, as well as applicable legislation. Furthermore, as a data controller, we ensure the processing of personal data in accordance with relevant legal acts, and we also keep confidential (subject to any applicable exceptions) and secure all other data disclosed to us that is subject to a confidentiality obligation.
Before using the website and entering into a contract with us, please read these Terms carefully. If you do not agree with the Terms, please discontinue using the website or do not enter into a contractual relationship with us.
We reserve the right to update the Terms from time to time, by notifying you on our website and/or via email.
1. CATEGORIES OF PERSONAL DATA
To achieve the purposes set out in these Terms, we process some or all of the following personal data. The exact scope of personal data processed varies for each case, but we always adhere to the principle of processing as little personal data as necessary to achieve the purpose:
- first and last name;
- personal identification code;
- delivery address for goods and installation address for equipment;
- email address;
- phone number;
- purchase history;
- remotely readable data related to the client’s use of equipment, to ensure the functioning of equipment and services (e.g., consumption costs, error codes, user-selected settings);
- data on direct marketing consents and opt-outs;
- other personal data that becomes known to us in the ordinary course of providing services or during communication with individuals.
We also collect non-personal information, including data on website visit duration, number of clicks, and user behavior, but we do so solely for analysis and to improve website usability. We only use secure services, such as Google Analytics. We also compile relevant statistical summaries for business purposes, but in doing so, your personal data is converted into anonymized data, which is stored in a secure data repository.
2. PURPOSES AND LEGAL BASIS FOR DATA PROCESSING
We process personal data when it is necessary to enable the use of the website (including the e-shop) or to fulfill our contractual obligations to you. We process your: (i) name, personal identification code, contact details, and address for the preparation and management of contracts and orders, for the provision of services and goods, and for the installation and delivery of goods; (ii) payment instrument data to enable payment for services and goods and to process refunds; (iii) payment history and information related to debts for managing the client relationship and billing. We also process your personal data for sending communications related to contractual relationships, including responding to your comments, questions, and requests.
If you call us or send us emails, we process your personal data (including storing emails and, upon appropriate notification, recording calls) to respond to your inquiries and improve the quality of customer service. In such cases, your personal data is processed based on our legitimate interest in ensuring smooth customer support.
Based on our legitimate interests, we process data related to solvency assessment, such as credit reports concerning you (e.g., taust.ee and accountscoring.com) and bank statements shared by you with us. We process data related to solvency solely for the purpose of verifying the trustworthiness and solvency of potential clients.
Based on our legitimate interest, we also process purchase history data (purchase date, item, quantity, client data) to compile overviews of goods and services and analyze client preferences.
We may also process your personal data to fulfill obligations stipulated in legal acts, for example, to ensure the protection of personal data, to retain personal data for any period necessary to fulfill legal obligations (e.g., for accounting purposes), and to fulfill other obligations arising from applicable legislation.
We may process your personal data in the event of any disputes between us, to protect our legitimate interests.
With your consent, we process your personal data to send you newsletters, blog updates, advertisements, marketing, and other information via email. You can unsubscribe from such mailing lists at any time by clicking the corresponding button in the email footer.
We will always ask for your prior explicit consent for processing personal data if we use it for purposes not outlined in these Terms. You can withdraw such consent at any time.
3. SECURITY MEASURES
We process personal data only when there is a legal basis and solely for legitimate purposes. We employ security measures and store personal data in a manner that ensures its security and confidentiality. Personal data is accessible only to individuals for whom it is necessary in connection with their job duties or to whom the disclosure of personal data is in accordance with these Terms or applicable legislation.
We implement appropriate physical, organizational, and IT security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorized access and disclosure.
Personal data is stored on servers located in the territory of a European Union member state or countries affiliated with the European Economic Area. Data may be transferred to countries whose level of data protection has been deemed adequate by the European Commission.
We are not responsible for any misuse of your personal data resulting from malware on your device.
4. RECIPIENTS
We have the right to disclose and transfer personal data without your prior consent to authorized processors acting on our behalf and under appropriate data processing agreements, including equipment installers, suppliers and vendors, product and service developers, credit registries, accountants, IT solutions/development and data hosting and analytics service providers, transport and installment payment service providers. We also transfer data to fulfill obligations arising from applicable legislation. To protect our rights, we have the right to disclose personal data to third parties, including debt default registries and similar third parties for debt collection (collection service), legal advisors, auditors, etc.
We may provide marketing service providers (digital marketing, direct marketing, campaigns, special offers) (e.g., Facebook) with access to personal data collected and stored within the scope of our marketing campaigns. In such cases, these marketing service providers become authorized personal data processors on our behalf.
A precise list of our authorized personal data processors and the content of processing operations is provided below:
5. DELETION AND RETENTION
We retain personal data only for as long as necessary to achieve the purposes described in these Terms, to protect our rights, or to fulfill obligations arising from applicable legislation. We restrict the processing of your personal data and process it only when necessary.
Personal data is retained for up to 5 years from the end of the client relationship, with the exception of personal data related to the fulfillment of a contract concluded with the client (including debts), which is retained for up to 10 years from the end of the client relationship. Upon expiry of the aforementioned periods, the respective personal data will be deleted, unless the processing of personal data is necessary due to circumstances to protect our legitimate interests, e.g., in the event of contractual or other disputes between us (including due to ongoing disputes). We also have the right, after the aforementioned periods, to anonymize personal data, i.e., to process personal data in such a way that it can no longer be considered personal data.
To fulfill accounting requirements, we retain original accounting documents for 7 years from the end of the financial year in which the original document was recorded in accounting.
Regardless of the termination of the client relationship, with the client’s prior consent, we may process the user’s personal data for direct marketing until the user has withdrawn their consent. If an individual prohibits direct marketing (withdraws consent) and there is no other legal basis for processing, information about the prohibition will be retained to the necessary extent to ensure compliance with the direct marketing communication ban.
We have the right to process anonymized data (including personal data that has been irreversibly transformed so that it cannot be linked to any identifiable natural person) both during and after the validity of our agreement, and to allow processing by cooperation partners for the purpose of developing our services and solutions and for statistical analysis.
6. YOUR RIGHTS
You may request information from us at any time regarding the processing of your personal data. In accordance with applicable legislation, you have or may have the right to:
- request the deletion of your personal data;
- request the rectification of your personal data;
- request the restriction of the processing of your personal data, but in such a case, you may not be able to fully use our website or services;
- object to the use of your personal data;
- receive your personal data in a structured, commonly used, and machine-readable format and transmit that data to another data controller.
If we process personal data based on consent, you may withdraw your consent at any time, in which case the processing of personal data will cease. This does not affect processing operations carried out previously.
We respond to inquiries as quickly as possible, taking into account deadlines arising from applicable legislation.
7. COOKIES
We use cookies on our website. Cookies are small text files that are stored on the visitor’s device by the web browser when visiting the website. Cookies remember you and your preferences so that we can provide you with relevant information, recommendations, and improve the user experience.
Among the cookies used are essential cookies, which are necessary to ensure the functioning of the website. In addition, we use cookies to analyze website traffic, but we ask for your consent for the use of such cookies. You can disable the use of cookies in your web browser settings. The cookies we use do not allow for personal identification. Furthermore, we may share website usage data with our social media and advertising partners and analysts, who may combine the data with other data available to them.
8. INQUIRIES AND COMPLAINTS
For questions or complaints related to personal data processing, please contact us via email at kontakt[at]heaton.ee or the Estonian Data Protection Inspectorate (info@aki.ee; +372 627 4135).